5

Google recommends and packs in ProGuard for code obfuscation. However the default configuration that it comes with seems minimal and one can reverse engineer to certain extent. Most people looking to reverse engineer are not really looking for detail code, but may be extract the logic. Are there any guidelines so as to configure ProGuard more efficiently ?(Something to the extent Javascript is minimized would be good.)

Secondly, there are tools like apktool that enable extracting the Manifest as well as the resource files. And there is no level of obfuscation in them. These can certainly reveal few things. Are there any ways to avoid this from happening ?

advantej
  • 20,155
  • 4
  • 34
  • 39
  • 1
    Obfuscation really only protects anything within the self-referential private world inside a program where figuring out what some block of obfuscated code does is a problem unique to the study of that application. Interfaces to the android platform are standard, so even if they were obfuscated someone would quickly write a tool to reverse that (look at optimized DEX for a parallel example) You can encrypt your resources, but you'll have to decrypt anything you want to display or play, at which point a modified platform can grab the decrypted version. – Chris Stratton Apr 14 '11 at 16:49

2 Answers2

7

For the first part, I suggest you to check this question: Android Game Keeps Getting Hacked . It does not address directly ProGuard, but it does give you some ideas on how to reduce pirating.

For the second part, I'm afraid no, it's not really possible, since those are plain xml files. What you can do is to reduce the use of resources and create the logic directly in java. That will reduce the exposure of your code in three ways:

(1) the obvious, it shows less easy-to-read xml code

(2) it creates much longer smali files, which are not easy to follow to begin with: consider that the variables in the smali file do not have names, but numbers, and are reused several times, thus making them even harder to understand. V1 can be a TextView first, and then an int, and then a private static method.

(3) it reduces the use of hex IDs that are very easily searchable on the smali file using the table from public.xml.

When I was porting the TouchWiz framework to some custom ROMs, I even made a small java app to automate the ID recognition (the xda-developers post is here), so you can imagin how easy is to follow them.

Community
  • 1
  • 1
Aleadam
  • 40,203
  • 9
  • 86
  • 108
1

You can now use a new gradle plugin + library to effectively obfuscate Strings in a class, Please check it here

https://github.com/MichaelRocks/paranoid

Also now there is a new plugin which can obfuscate resources also, please check it below

https://github.com/shwenzhang/AndResGuard

And help share this great information, so more developers can use it and thus more and more developers will contribute for further development of these plugins, and thus we can collectively improve these plugins.

Vaishakh
  • 1,126
  • 10
  • 10